Comments

: Does anyone have any ideas about how to detect an NT rootkit without
: professional-level tools in the field? Assume, hypothetically, that you
: have no net access, a CD and a possibly infected machine.
:
: What do you do?

A rootkit checker will be a good start. There's a free one here, along with some possibly interesting links. http://www.sysinternals.com/ntw2k/freeware/rootkitreveal.shtml

(As usual, I query the community and find but one worthy of the challenge. That is admirable of the respondent but a tragedy for the community so lacking in interest in what is a serious security issue!)

1.) Sysinternals does produce a strong product. Those guys give me the tools I need to do all sorts of things daily, from regmon and filemon to PSTools. However, root kits are nefarious beasts which can easily dupe rootkit revealer--as is shown in their documentation.

2.) The challenge is to discover the rootkit with only a CD (presumably the Op/sys installation CD) and no net access. Here lies the rub: what other tools (from these available resources) would be necessary?

3.) Remember, the Op/sys has been trojanized. The counter-hack requires stepping outside the box. File sizes and versions may be altered (but a good rootkit can conceal this if the trojanized op/sys files are hexedited to contain the malicious code without altering the file size or version). Time stamps can then be spoofed. Otherwise a batch file could be constructed to compare files. Ahh....

4.) There lies the solution, perhaps! What if a batch file were to compare the op/sys files from a clean (CD) boot to known good files, identifying which files differ from the original? Could this reveal the root?

5.) What if the op/sys alters some arbitrary file during operation? Then the known good and operational unknown file could not be compared to find the root. Only those files which do not change could be eliminated from the problem.

[Note: This may be resolved by a collateral language project I am working on, which requires software components to authenticate themselves.]
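The comparison sketched in points 4 and 5 above, as an added example that is not part of the original post or of any tool it mentions: hash every file under a known-good tree (for example files expanded from the installation CD onto a second volume) and compare them with the same relative paths on the suspect volume, which has been mounted from a clean boot rather than read through the possibly trojanized OS. Files expected to change during normal operation (logs, hives, the page file) are matched against a volatile-pattern list and reported as skipped instead of as modified, which is the "eliminate only the files that do not change" idea from point 5. The directory layout, file names and file contents in `demo()` are constructed for the example and are not real system files; the `VOLATILE` patterns are an assumed starting list, not an authoritative one.

```python
"""Offline integrity comparison of a suspect Windows volume against a known-good tree.

Added example (not from the original post). Hashes are content-only, so spoofed
timestamps and unchanged file sizes do not hide a patched file; the comparison is
only trustworthy when both trees are read from a clean boot, because a kernel
rootkit running on the suspect OS can filter what the file system reports.
"""
import fnmatch
import hashlib
import os
import tempfile

# Assumed list of paths that legitimately change during normal operation.
VOLATILE = ["*.log", "*.evt", "pagefile.sys", "system32/config/*"]


def hash_tree(root):
    """Return {relative_path: sha256_hex} for every regular file under root."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            digest = hashlib.sha256()
            with open(full, "rb") as fh:
                for chunk in iter(lambda: fh.read(65536), b""):
                    digest.update(chunk)
            manifest[rel] = digest.hexdigest()
    return manifest


def is_volatile(rel, patterns=VOLATILE):
    """True if the path matches a pattern that is expected to change in use."""
    return any(fnmatch.fnmatch(rel, pat) for pat in patterns)


def compare(baseline, suspect, patterns=VOLATILE):
    """Classify each path as modified, missing, added or skipped (volatile)."""
    result = {"modified": [], "missing": [], "added": [], "skipped": []}
    for rel, digest in baseline.items():
        if is_volatile(rel, patterns):
            result["skipped"].append(rel)
        elif rel not in suspect:
            result["missing"].append(rel)
        elif suspect[rel] != digest:
            result["modified"].append(rel)
    for rel in suspect:
        if rel not in baseline and not is_volatile(rel, patterns):
            result["added"].append(rel)
    for key in result:
        result[key].sort()
    return result


def write_tree(root, files):
    """Create constructed sample files under root from {relative_path: bytes}."""
    for rel, data in files.items():
        full = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(data)


def demo():
    """Build two constructed trees and return the comparison result."""
    known_good = tempfile.mkdtemp(prefix="known_good_")
    suspect = tempfile.mkdtemp(prefix="suspect_")
    write_tree(known_good, {
        "system32/ntoskrnl.exe": b"MZ" + b"\x00" * 30,
        "system32/kernel32.dll": b"MZ" + b"\x01" * 30,
        "system32/config/software": b"hive-v1",
    })
    write_tree(suspect, {
        # Same size as the original, one byte patched: size/version checks miss it.
        "system32/ntoskrnl.exe": b"MZ" + b"\x00" * 29 + b"\x90",
        # Registry hive changed in normal operation: volatile, so skipped.
        "system32/config/software": b"hive-v2",
        # A file not present in the known-good tree.
        "system32/drivers/extra.sys": b"MZ" + b"\x02" * 10,
    })
    return compare(hash_tree(known_good), hash_tree(suspect))


if __name__ == "__main__":
    for category, paths in demo().items():
        print(f"{category}: {paths}")
```

Because the verdict comes from content hashes rather than size, version or timestamp, the hex-edit-without-changing-size trick from point 3 shows up as a modification; the remaining gap is exactly the one point 5 names, since anything on the volatile list is never compared and a file hidden there would be missed, so that list should be kept as short as the installed system allows.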